Internet Draft                                               B. Nickless
Document: draft-ietf-mboned-ipv4-mcast-unusable-00.txt  Argonne National Laboratory
Expires: January 2004                                          July 2003

           IPv4 Multicast Unusable Group And Source Addresses

1. Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

2. Abstract

Some IPv4 multicast datagrams should not be routed, either within an
administrative domain or between administrative domains. A list of
those restrictions is supplied here. These restrictions SHOULD be
respected by IPv4 multicast applications and included in network
device access control lists. IANA should permanently reserve
certain address ranges.

3. Table of Contents

   1.  Status of this Memo
   2.  Abstract
   4.  Conventions used in this document
   5.  Background
   6.  Specific (Source,Group) Restrictions
   7.  Unusable Locally
   8.  Unusable Inter-domain
   9.  No Flooding of Knowledge of Active Sources
   10. IANA Considerations
   11. Security Considerations
   12. Acknowledgements
   13. References
   14. Author's Address

4. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].

5. Background

IPv4 multicast [MCAST] is an internetwork service that allows IPv4
datagrams sent from a source to be delivered to one or more
interested receiver(s). That is, a given source sends a packet to the
network with a destination address in the 224/4 CIDR [CIDR] range. The
network transports this packet to all receivers (replicated where
necessary) that have registered their interest in receiving these
packets.

Some combinations of Source Address and Group Address SHOULD NOT be
routed for various reasons. This note describes those restrictions
so they can be:

   - Avoided by applications, especially those that choose multicast
     groups on a random or ad-hoc basis.
   - Properly reflected in network device restriction lists.

6. Specific (Source,Group) Restrictions

Following is a list of (Source,Group) ranges that should not be used
or routed in certain circumstances. Each range is associated with a
brief explanation and a cross-reference to a fuller explanation to
be found in following sections of this note.
   (*,224.0.1.2/32)            SGI-Dogfight                      Section 8.4
   (*,224.0.1.3/32)            Rwhod                             Section 8.5
   (*,224.0.1.22/32)           SVRLOC                            Section 8.4
   (*,224.0.1.24/32)           Microsoft-DS                      Section 8.4
   (*,224.0.1.35/32)           SVRLOC-DA                         Section 8.5
   (*,224.0.1.39/32)           CISCO-RP-ANNOUNCE                 Section 8.5
   (*,224.0.1.40/32)           CISCO-RP-DISCOVERY                Section 8.5
   (*,224.0.2.2/32)            SUN-RPC                           Section 8.4
   (*,224.77.0.0/16)           Norton Ghost                      Section 8.3
   (*,224.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,225.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,225.1.2.3/32)            Altiris                           Section 8.3
   (*,225.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,226.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,226.77.0.0/16)           Norton Ghost                      Section 8.3
   (*,226.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,227.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,227.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,228.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,228.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,229.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,229.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,230.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,230.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,231.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,231.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,232.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,232.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,232.0.0.0/8)             Source-Specific Multicast         Section 9.1
   (*,233.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,233.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,234.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,234.42.42.42/32)         Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,234.142.142.42/31)       Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.44/30)       Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.48/28)       Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.64/26)       Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.128/29)      Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.136/30)      Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.140/31)      Phoenix/StorageSoft ImageCast     Section 8.3
   (*,234.142.142.142/32)      Phoenix/StorageSoft ImageCast     Section 8.3
   (*,235.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,235.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,236.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,236.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,237.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,237.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,238.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,238.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1
   (*,239.0.0.0/8)             Administratively Scoped Groups    Section 8.1
   (*,239.0.0.0/24)            Control plane of IGMP snoopers    Section 7.1
   (*,239.128.0.0/24)          Control plane of IGMP snoopers    Section 7.1

   (0.0.0.0/8,*)               Link Local Addresses              Section 8.2
   (10.0.0.0/8,*)              Private Address Space             Section 8.2
   (127.0.0.0/8,*)             Loopback Address Space            Section 8.2
   (169.254.0.0/16,*)          Link Local Addresses              Section 8.2
   (172.16.0.0/12,*)           Private Address Space             Section 8.2
   (192.0.2.0/24,*)            Documentation/Example             Section 8.2
   (192.168.0.0/16,*)          Private Address Space             Section 8.2

7. Unusable Locally

Multicast datagrams that match the criteria in this section SHOULD
NOT be used, even on local, unrouted subnetworks.

7.1 Groups processed in the control plane of IGMP-snooping switches
[MCAST] describes the mapping of IPv4 Multicast Group addresses to
Ethernet MAC addresses, as follows:

   An IP host group address is mapped to an Ethernet multicast
   address by placing the low-order 23-bits of the IP address
   into the low-order 23 bits of the Ethernet multicast address
   01-00-5E-00-00-00 (hex). Because there are 28 significant
   bits in an IP host group address, more than one host group
   address may map to the same Ethernet multicast address.

Multicast group addresses in the 224.0.0.0/24 range are used for
local subnetwork control. This maps to the Ethernet multicast
address range 01-00-5E-00-00-XX, where XX is 00 through FF.
Ethernet frames within this range are always processed in the
control plane of many popular network devices, such as IGMP-snooping
switches.

Because of the many-to-one mapping of IPv4 Multicast Group Addresses
to Ethernet MAC addresses, it is possible to overwhelm the control
plane of network devices by sending to group addresses that map into
the 01-00-5E-00-00-XX (hex) range.

IGMP-snooping network devices must also flood these frames to all
outgoing ports, so the damage may extend to end systems and routers.

8. Unusable Inter-domain

Multicast datagrams that match the criteria in this section SHOULD
NOT be routed between administrative domains.

Section 7 (Unusable Locally) is incorporated here by reference.

8.1 Administratively Scoped Addresses

RFC 2365 [ADMIN] defines 239.0.0.0/8 for use within an
administrative domain. As such, datagrams with group addresses that
match 239.0.0.0/8 SHOULD NOT be passed between administrative
domains.

8.2 Special Use IPv4 Source Addresses

RFC 1918 [PRIVATE] defines certain ranges of IPv4 unicast addresses
that can be used within an administrative domain.
Multicast datagrams are no exception to the rule that datagrams
addressed within these ranges SHOULD NOT be passed between
administrative domains.

127.0.0.0/8 is widely used for internal host addressing, and is
generally not valid on datagrams passed between hosts.

0.0.0.0/8 and 169.254.0.0/16 are valid only in the context of local
links. Such source addresses are not valid for datagrams passed
between networks. [RFC 1700] [RFC 3330]

192.0.2.0/24 is reserved for documentation and example code.
[RFC 3330]

8.3 Personal Computer Deployment and Control Applications

The Norton Ghost [GHOST], Phoenix/StorageSoft ImageCast [IMCAST],
and Altiris [ALTIRIS] applications are used to duplicate files and
filesystems from servers to clients, and to otherwise maintain
groups of Personal Computers. They are intended to be used on a
local subnet or within an administrative domain, but the default
addresses used by the software are not within the
administratively-scoped range 239.0.0.0/8 (see Section 8.1 above).

8.4 Known Insecure Services

Applications that use certain multicast group addresses have been
demonstrated to be vulnerable to exploitation, leading to serious
security problems.

8.5 Internal Resource Discovery

Applications that use certain multicast group addresses are used to
discover resources within an administrative domain.

9. No Flooding of Knowledge of Active Sources

In the absence of explicit requests by interested receivers,
multicast datagrams that match the criteria in this section SHOULD
NOT be transmitted across administrative domain boundaries.

The knowledge of active sources that match the criteria in this
section SHOULD NOT be passed between administrative domains, for
example through the operation of the Multicast Source Discovery
Protocol (MSDP) [MSDP].
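The Section 6 table and the three tiers of restriction in Sections 7, 8 and 9, as an added Python example that is not part of this draft: it derives the 31 "Control plane of IGMP snoopers" blocks from the RFC 1112 group-to-MAC mapping instead of listing them, encodes the remaining ranges of the table, and reports the most restrictive tier that applies to a (source, group) pair. The function and constant names are the example's own.

```python
import ipaddress
# Added example (not from the draft): the Section 6 table encoded so that a
# (source, group) pair can be checked against the draft's three tiers.
LINK_LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")

def group_to_mac(group: str) -> str:
    """RFC 1112 mapping: low-order 23 bits of the group into 01-00-5E-00-00-00."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "01-00-5E-%02X-%02X-%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def collides_with_control_plane(group: str) -> bool:
    """Section 7.1: maps onto 01-00-5E-00-00-XX (the MACs of 224.0.0.0/24) but is not in 224.0.0.0/24."""
    g = ipaddress.IPv4Address(group)
    return g not in LINK_LOCAL_CONTROL and group_to_mac(group).startswith("01-00-5E-00-00-")

def control_plane_collision_blocks() -> list:
    """Derive the 31 /24 blocks the Section 6 table marks 'Control plane of IGMP
    snoopers': X.0.0.0/24 and X.128.0.0/24 for X in 224..239, minus 224.0.0.0/24."""
    blocks = []
    for first in range(224, 240):
        for second in (0, 128):
            net = ipaddress.ip_network(f"{first}.{second}.0.0/24")
            if net != LINK_LOCAL_CONTROL:
                blocks.append(net)
    return blocks

# Sections 8.1, 8.3, 8.4 and 8.5: groups not to be routed between domains.
INTERDOMAIN_GROUPS = [ipaddress.ip_network(n) for n in (
    "224.0.1.2/32", "224.0.1.3/32", "224.0.1.22/32", "224.0.1.24/32",
    "224.0.1.35/32", "224.0.1.39/32", "224.0.1.40/32", "224.0.2.2/32",
    "224.77.0.0/16", "225.1.2.3/32", "226.77.0.0/16", "234.42.42.42/32",
    "234.142.142.42/31", "234.142.142.44/30", "234.142.142.48/28",
    "234.142.142.64/26", "234.142.142.128/29", "234.142.142.136/30",
    "234.142.142.140/31", "234.142.142.142/32", "239.0.0.0/8")]
# Section 8.2: source addresses never valid across administrative domains.
INTERDOMAIN_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16")]
SSM = ipaddress.ip_network("232.0.0.0/8")  # Section 9.1

def classify(source: str, group: str) -> str:
    """Most restrictive tier that applies to (source, group): 'unusable-locally'
    (Section 7), 'unusable-interdomain' (Section 8), 'no-source-flooding'
    (Section 9) or 'ok'. Raises ValueError for a non-multicast group."""
    s, g = ipaddress.IPv4Address(source), ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not in 224/4")
    if collides_with_control_plane(group):
        return "unusable-locally"
    if any(g in n for n in INTERDOMAIN_GROUPS) or any(s in n for n in INTERDOMAIN_SOURCES):
        return "unusable-interdomain"
    if g in SSM:
        return "no-source-flooding"
    return "ok"
```

Groups such as 232.0.0.0/24 appear in the table under both Section 7.1 and Section 9.1; the classifier reports the stricter local restriction for them.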
Sections 7 and 8 are incorporated here by reference.

9.1 Source-Specific Multicast

Multicast datagrams addressed within 232.0.0.0/8 (See [IANA]) are
used in the Source-Specific Multicast regime. Interested recipients
request traffic from specific sources using specific group
addresses. Knowledge of active sources is not flooded throughout
the Internet, as it is the responsibility of the application to
discover the active sources.

10. IANA Considerations

Due to the issue outlined in Section 7.1 with 233.0.0.0/24 and
233.128.0.0/24 above, IANA SHOULD NOT allocate AS 0 nor AS 32768 to
any Autonomous System or Registry.

IANA SHOULD reserve the 31 address blocks referenced in Section 7.

11. Security Considerations

Low to moderate multicast traffic levels, using addresses within
these Section 7.1 Multicast Group Address ranges, can result in
severe denial of service on network devices that process frames with
Ethernet MAC addresses in the 01-00-5E-00-00-XX (hex) range in the
control plane.

Interdomain forwarding of multicast traffic generated by certain
multicast applications (see Section 8.3) can result in internal
enterprise data being replicated far beyond that which was intended.

Interdomain forwarding of multicast traffic on certain multicast
groups (see Section 8.4) can lead to compromise of host systems.

12. Acknowledgements

The author relied heavily on a list of problematic groups maintained
by Cisco Systems, especially Beau Williamson and his colleagues.

Jay Ford and Alan Croswell provided references for the Norton Ghost
restriction.

Leonard Giuliano, John Kristoff, Alastair Matthews, and Pekka Savola
provided helpful comments, corrections, and suggestions.
This work was supported by the Mathematical, Information, and
Computational Sciences Division subprogram of the Office of Advanced
Scientific Computing Research, U.S. Department of Energy, under
Contract W-31-109-Eng-38.

13. References

[RFC2119]  Bradner, S., "Key Words for use in RFCs to Indicate
           Requirement Levels", RFC 2119, March 1997.

[MCAST]    Deering, S.E., "Host extensions for IP multicasting",
           RFC 1112, August 1989.

[CIDR]     Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless
           Inter-Domain Routing (CIDR): an Address Assignment and
           Aggregation Strategy", RFC 1519, September 1993.

[ADMIN]    Meyer, D., "Administratively Scoped IP Multicast",
           RFC 2365, July 1998.

[PRIVATE]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. J.
           and E. Lear, "Address Allocation for Private Internets",
           RFC 1918, February 1996.

[RFC 1700] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2,
           RFC 1700, October 1994.

[RFC 3330] IANA, "Special-Use IPv4 Addresses", RFC 3330,
           September 2002.

[GHOST]    Symantec.
           http://service2.symantec.com/SUPPORT/ghost.nsf/docid/1999033015222425

[IMCAST]   Phoenix Technologies.
           http://www.storagesoft.com/products/imagecast

[ALTIRIS]  Altiris.
           http://www.altiris.com/support/docs/altirisexpress/axtechref41.pdf

[MSDP]     Fenner, B. and D. Meyer, Editors, "Multicast Source
           Discovery Protocol", Work in Progress,
           draft-ietf-msdp-spec-20.txt.

[IANA]     Internet Assigned Numbers Authority.
           http://www.iana.org/assignments/multicast-addresses

14. Author's Address

Bill Nickless
Argonne National Laboratory
9700 South Cass Avenue #221
Argonne, IL 60439

Phone: +1 630 252 7390
Email: nickless@mcs.anl.gov